Using Let's encrypt certificate of Synology NAS

Ok, it works finally. Here are the things I changed which might have fixed it:

  1. Removed router port forward (443), then re-added.
  2. Removed Reverse proxy setting, then re-added.
  3. This is what probably fixed it: Removed ssl_certificate and ssl_key lines from the configuration.yaml file. Note, I tried re-adding these and it actually made it to the homeassistant log-in page, but it timed out eventually and said it could not connect. I then removed these lines again and re-tested and it worked again.

Note, I am using “https://xxx.myds.me” to connect to homeassistant, so I need to use “https://xxx.myds.me:5001” to connect to the Synology web interface. It would be nice if I could use “https://xxx.myds.me/ha” to connect to home assistant instead… I remember seeing something in the location section of the nginx config file where I might be able to do this. Anyone have this working? Or how can I create a subdomain with Synology’s DDNS?

Just wanted to say thanks for taking the time to post this! It was exactly what I was looking for.

You’re welcome.

This post helped me a lot, but I’m still stuck on something.
When I want to go to xxx.synology.me, I get a loading screen of HASS and then the error “unable to connect”.
Does anyone have a fix for that?

1 Like

Did you recently update your Synology? If so: DSM 6.2 resets your Portal.mustache again. Look at https://github.com/wilfredsmit/dsm-reverse-proxy-websocket.

I’m now running on DSM 6.1.7-15284 so normally it should be ok. Also because my other apps are working fine using nginx.

@doubleUS I don’t get it anymore. I tried everything using certificates, reverse proxy, even edited my iptables and then everything was broken. Still got the loading screen of homeassistant and then it says “Unable to connect”.

I saw in the logs that it says: (MainThread) [homeassistant.components.http.view] Serving /api/websocket to 192.168.0.x (auth: True)

Can you provide some help ?

EDIT

While typing this reaction I saw the GitHub link you provided. I tried that link again and that did the magic. Finally it is working after trial and error. Thank you for sending the link!

@koenhaemels Glad you’ve got it solved!

I got everything working except Telegram.

In the error log, it says

Invalid telegram webhook http://[HA IP]:8123/api/telegram_webhooks must be https

In HA configuration, I don’t set base_url, ssl_certificate and ssl_key under the http: component.

Should I set the 3 variables under the http component?

If I added…

  base_url: !secret http_base_url
  ssl_certificate: !secret ssl_certificate
  ssl_key: !secret ssl_key

The Telegram works but the frontend stops working and gives this error…

[homeassistant.components.notify.rest] Error sending message. Response 502: Bad Gateway:

Did you manage to get it to work?
Currently I don’t have any experience with Telegram…

First I really want to say words of appreciation to @doubleUS and others for time spent on this and helping others. It helped me a lot.
I’d like to add my experience which works for me and could possibly help to next gens of users:

  • I have synology NAS with DSM 6.2.1-23824 Update 4 installed
  • I have HA run in docker container with use of http (no https)
  • I have Let's Encrypt certs in place for remote access to my Synology box
  • all you need to do is:
    • go to Control Panel/Application Portal/Reverse Proxy
    • create new reverse proxy:

  • don't forget to replace “your” with your own name at synology.me

  • add custom headers:


    this is needed to allow web sockets to work properly - i.e no need to change mustache files manually

  • go to External Access/Router Configuration

    • select “HTTPS, Reverse Proxy” with 443 port
    • click “Save” and allow it to open this in your router (I have Time Capsule and DSM does a great job of auto-setting up port forwards)
  • you are done )

  • you don't need to make any changes in HA config for the http section

  • you can access your HA as “https://your.synology.me” outside and inside your local network

  • you can continue use your fav local address of ha

6 Likes
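Added example, not part of the original thread and not Synology's or Home Assistant's code: a small check that reads an nginx reverse-proxy config and reports proxied locations lacking the directives nginx needs to pass a WebSocket upgrade, which is worth re-running after a DSM update. The function name, the sample config and the `localhost` backend are constructed for illustration.

```python
import re

# nginx does not forward hop-by-hop headers, so a proxied WebSocket needs these set explicitly.
REQUIRED_HEADERS = ("upgrade", "connection")


def websocket_gaps(nginx_conf):
    """Map each proxied location to the WebSocket directives it lacks (presence check only)."""
    conf = re.sub(r"#.*", "", nginx_conf)  # drop comments before matching
    gaps = {}
    # Reverse-proxy location blocks are flat, so a non-nested brace match is sufficient.
    for match in re.finditer(r"location\s+([^{]+?)\s*\{([^{}]*)\}", conf):
        path, body = match.group(1), match.group(2)
        if "proxy_pass" not in body:
            continue  # not a proxied location
        headers = {h.lower() for h in re.findall(r"proxy_set_header\s+(\S+)\s+[^;]+;", body)}
        missing = [f"proxy_set_header {h.title()}" for h in REQUIRED_HEADERS if h not in headers]
        if not re.search(r"proxy_http_version\s+1\.1\s*;", body):
            missing.append("proxy_http_version 1.1")
        if missing:
            gaps[path] = missing
    return gaps


# Constructed sample: HTTPS in, plain HTTP to Home Assistant, no WebSocket headers.
BROKEN = """
server {
    listen 443 ssl;
    server_name your.synology.me;
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:8123;
    }
}
"""

# Same constructed config with the WebSocket directives added.
FIXED = BROKEN.replace(
    "proxy_pass",
    'proxy_http_version 1.1;\n        proxy_set_header Upgrade $http_upgrade;\n'
    '        proxy_set_header Connection "upgrade";\n        proxy_pass',
)

if __name__ == "__main__":
    print("broken:", websocket_gaps(BROKEN))
    print("fixed: ", websocket_gaps(FIXED))
```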

Super, finally it worked with this simple reverse proxy thing, @sergeymaysak, thanks a lot! Now if I go to my HA with https I can't get to my visual code because it refers to my NAS ip:port of vscode. What do I need to set to see my settings via vscode or configurator?

I’ve been reading lots and lots of topics on this forum and I don’t get this to work. I really hope someone can give me a hint/solution.

I have the following configuration:

The problem is when I go to https://xxxx.duckdns.org it’s using the Certificate of my NAS and not the new duckdns.org certificate.

I know I’m missing something but I don’t know what. Who can point me to the right direction?

Why don’t you create a let’s encrypt certificate for duckdns.org in DSM and use the reverse proxy.

You are absolutely right! I finally was able to do this last week, while it failed many times earlier.
My solution was indeed, create a let’s encrypt certificate for duckdns.org in DSM and use the reverse proxy.

Hi guys

I’m running via reverse proxy,
https in and forwarded to http, and it works like a charm.

Downside is that once in a while (once a year) Home Assistant installed on my Pi blocks my Synology NAS with the internal IP because of false login attempts.

A false login from a (hacker) is seen by the Pi as 192.168.2.3 and it blocks it, and I have to clear the blacklist.

Is there a way that I can copy/paste (automatically) the encryption files from the Synology NAS to the Pi so I can forward the port without using the reverse proxy and still use the encryption? Because I already have a domain name which I bought.
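Added example, not part of the original thread and not Home Assistant's code: a simplified model of why the ban lands on the NAS address when the backend does not treat the reverse proxy as trusted, and how attributing attempts by `X-Forwarded-For` from a trusted proxy moves the ban to the real client. In Home Assistant the corresponding `http:` options are `use_x_forwarded_for` and `trusted_proxies`; the function names, the threshold and the 203.0.113.50 client address here are constructed.

```python
from collections import Counter
from ipaddress import ip_address

NAS_PROXY = "192.168.2.3"  # reverse proxy address as seen by the backend (from the post above)


def client_ip(peer, x_forwarded_for, trusted_proxies):
    """Return the address a login attempt should be attributed to."""
    # Only honour X-Forwarded-For when the TCP peer is a proxy we trust;
    # otherwise any client could forge the header to dodge or redirect a ban.
    if peer not in trusted_proxies or not x_forwarded_for:
        return peer
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if hop not in trusted_proxies:
            return hop
    return peer


def banned_after(attempts, trusted_proxies, threshold=3):
    """Return the set of addresses banned after the given failed logins."""
    failures = Counter(client_ip(peer, xff, trusted_proxies) for peer, xff in attempts)
    return {ip for ip, count in failures.items() if count >= threshold}


# Constructed sample: three failed logins from one outside client, all arriving via the NAS proxy.
ATTEMPTS = [(NAS_PROXY, "203.0.113.50")] * 3

if __name__ == "__main__":
    print("proxy not trusted:", banned_after(ATTEMPTS, set()))
    print("proxy trusted:    ", banned_after(ATTEMPTS, {NAS_PROXY}))
```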

Same here, thanks!!